> How did you confirm that d_path() shows /branch_ro/README.txt?
a kernel part of the openvz checkpoint/restore preform a checks about
a path of the opened files. Then it tells:
setting up checkpoint...
suspend...
Can not suspend container: Device or resource busy
Error: file struct is referenced outside 3 4
Checkpointing failed
Not understanding this message I removed a checks. And checkpoint is
performed. But then a restore failed with message:
Restoring container ...
Restore error, undump failed: No such file or directory
Error: rst_open_file: failed to lookup path
'/livecd/images/_vz_private_202/ct-202-01-base.lzm/lib/libnss_files-2.12.so'
The path of the file in the message is a real path to the file in
squashfs branch. And rst_open_file() don't want to open a file
outside of the container root.
A removed check was in d_path and looks like this:
fs/dcache.c
* The other option is to allow exposing of known abstract spaces
* explicitly and hide the path information for other cases.
* This approach is more safe, let's take it. 2001/04/22 SAW
*/
if (!(oldmnt->mnt_sb->s_flags & MS_NOUSER) &&
!ve_accessible_veid(vfsmnt->owner, get_exec_env()->veid)) {
retval = ERR_PTR(-EINVAL);
goto out_err;
}
ve_accessible_veid() checks that path is accessible inside a container root.
In out example it must begin with /mnt/union but really starts with /branch_ro
If I use a user space bindfs like this
mkdir /mnt/union2
bindfs /mnt/union /mnt/union2
and /mnt/union2 as a container root fs then all check are passed and
suspend/resume is performed.
PS: can you suggest a more direct test? I will try to search exploits
for a container escape case regarding to a path of the opened file
(like this one
http://comments.gmane.org/gmane.linux.kernel.containers.lxc.general/7261
)
2014-07-17 9:46 GMT+04:00, sf...@users.sourceforge.net
<sf...@users.sourceforge.net>:
>
> Sergey Korshunoff:
>> return a real path for a file located inside union. Example:
>> /mnt/union
>> /branch_rw
>> /branch_ro
>> mount -t aufs o dirs=/branch_rw=rw,/branch_ro=ro none /mnt/union
>> For the file README.txt in /branch_ro opened by program from
>> /mnt/union/README.txt a path returned by a kernel d_path will be
>> /branch_ro/README.txt and not a /mnt/union/README.txt
>> Is a path translation layer implemented by current version of aufs?
>
> How did you confirm that d_path() shows /branch_ro/README.txt?
>
>
> J. R. Okajima
>
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
